NEW YORK – New York Attorney General Letitia James recently announced that she has co-led a coalition of 50 Attorneys General in reaching the largest data breach settlement in history with Equifax Inc., as a result of an investigation into the company’s massive 2017 data breach that exposed the personal information of nearly half the U.S. population. The Attorneys General secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and significant injunctive relief for consumers.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said Attorney General Letitia James. “This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population. Now it’s time for the company to do what’s right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future.”
“Credit rating agencies have a responsibility to safeguard consumers’ financial and personal information, and this egregious data breach and the agency’s response was completely unacceptable,” said New York Governor Andrew Cuomo. “In New York we are sending a clear message to these agencies that they will be held accountable if they leave consumers’ private data vulnerable to exposure, and we will continue our rigorous oversight of these agencies to ensure New Yorkers are protected in the future.”
On September 7, 2017, Equifax — one of the big three consumer credit reporting agencies — announced a data breach, ultimately affecting over 147 million consumers, or 56-percent of American adults, making it one of the largest-ever breach of consumer data in history. New York, alone, had 8,542,568 residents whose personal information was illegally accessed.
Breached information included Social Security numbers, names, dates of birth, addresses, credit card numbers, and, in some cases, driver’s license numbers. Shortly after, a coalition — that has since grown to 50 Attorneys General — launched a multi-state investigation into the breach.
The investigation found that attackers were able to exploit a vulnerability in Equifax’s system by targeting the Apache Struts web-application software — a widely used enterprise platform. While Equifax was informed of a vulnerability in March 2017, the company failed to patch all of its systems and failed to replace the software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system, which went unnoticed for 76 days.
Under the terms of the settlement, Equifax will be required to pay restitution to affected consumers in a multitude of ways. First, the company has agreed to provide a single Consumer Restitution Fund of up to $425 million — $300 million will initially be dedicated to compensation, with an additional $125 million available if initial funds are depleted. The program to pay restitution to consumers will be conducted in connection with settlements that have already been reached in the multi-district class action suits filed against Equifax, as well as with settlements that have been reached with the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). Equifax will pay an additional $50 million to the CFPB.
Consumers who are eligible for redress will be required to submit claims showing they have been a victim of fraud or have taken proactive steps to set up credit monitoring services by submitting documents online or by mail.
Next, Equifax has agreed to offer consumers, who had their data exposed, with free credit-monitoring services for up to 10 years. Consumers that take part in the service will have up to $1 million of identity theft insurance available — at no deductible — to cover identity recovery expenses and legal costs. The first four years of credit-monitoring service will include monitoring of all of the big three credit reporting agencies, while years five through 10 will be made available through Equifax.
Additionally, Equifax has agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen. These steps include making it easier for consumers to freeze and thaw their credit, and dispute inaccurate information in credit reports, as well as maintain sufficient staff to assist consumers who may be victims of identity theft.
A new website will soon allow consumers to learn more about the Restitution Fund, enroll in credit-monitoring services, and have their questions answered. In the meantime, consumers can sign up to receive email updates regarding the launch of the Equifax Settlement Breach online registry at http://www.ftc.gov/equifax-data-breach. Consumers can also call 1-833-759-2982 for more information.
Equifax has spent hundreds of millions of dollars to strengthen its security practices and will continue to do so going forward by, among other things:
* Reorganizing its data security team, including the designation of a Chief Security Officer, who shall report regularly to the Board of Directors about Equifax’s security posture;
* Running regular simulated exercises to test its ability to respond to a security event;
* Encrypting personal information stored on their system or adopting similar control mechanisms;
* Prohibiting the use of Social Security numbers as a sole authenticator, and otherwise limiting their use;
* Adopting two-factor authentication and password rotation policies;
* Performing regular security monitoring, logging, and testing of its systems;
* Reorganizing and segmenting its network; and
* Reorganizing its patch management team, and subsequently employing new policies to identify and deploy critical security updates and patches.
Equifax has also agreed to regular third-party assessments to evaluate whether it’s administrative, technical, and physical safeguards meet the requirements provided in the agreement.
Finally, as part of the settlement, Equifax has agreed to pay the 48 states involved in the lawsuit, the District of Columbia, and the Commonwealth of Puerto Rico a total of $175 million as a fine, $9,186,782.83 million of which will be delivered to the State of New York.
The settlement requires court approval.
Additionally, the New York State Department of Financial Services (DFS) separately investigated Equifax’s security practices, and found that the company engaged in practices that violated the Dodd-Frank Act and Financial Services Law § 408. As a result, Equifax will be fined an additional $10 million by DFS, bringing the total New York State will receive in fines to more than $19.2 million.
“First and foremost, the settlement announced today holds Equifax accountable for its egregious breach in its duty to consumers in safeguarding their sensitive personal identifying information and restores some peace of mind and protection to New Yorkers,” said DFS Superintendent Linda Lacewell. “Strengthening consumer protections for New Yorkers, DFS now requires credit rating agencies to be licensed and supervised by DFS, and comply with the Department’s landmark cybersecurity regulation to better guard against potential breaches.”
Joining Attorney General James in announcing the multistate settlement are the Attorneys General of Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, the District of Columbia, and the Commonwealth of Puerto Rico.
New York was represented in this settlement by Clark Russell, Deputy Bureau Chief of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is overseen by Chief Deputy Attorney General for Economic Justice Christopher D’Angelo.